VYPR
kevPublished Jul 17, 2026· 3 sources

CISA Mandates Urgent Patching for Actively Exploited Fortinet FortiSandbox Flaws

CISA has issued an emergency directive requiring federal agencies to patch two critical Fortinet FortiSandbox vulnerabilities, CVE-2026-39808 and CVE-2026-25089, which are being actively exploited in the wild.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a Binding Operational Directive (BOD) 26-04, mandating federal agencies to immediately patch two critical vulnerabilities affecting the Fortinet FortiSandbox platform. These flaws, identified as CVE-2026-39808 and CVE-2026-25089, have been confirmed to be actively exploited by threat actors in the wild. Federal agencies are required to apply the available patches by Sunday, July 19, to mitigate the risk of compromise.

Fortinet had previously addressed these vulnerabilities in security advisories released on April 14 and June 9, respectively. Successful exploitation of these flaws allows unauthenticated attackers to remotely execute unauthorized code through low-complexity command injection attacks. These attacks require no user interaction, making them particularly dangerous and easy to deploy.

While Fortinet initially did not confirm in-the-wild exploitation, threat intelligence firm Defused reported on June 16 that attackers had begun abusing these vulnerabilities. Defused noted the exploitation of multiple Fortinet FortiSandbox vulnerabilities, including CVE-2026-39808 and CVE-2026-25089, with indications of a potentially faulty exploit for the latter.

CISA's inclusion of these vulnerabilities in its catalog of Known Exploited Vulnerabilities (KEV) underscores the severity and immediate threat they pose. The directive emphasizes the critical need for timely patching to prevent successful attacks against government networks.

This is not the first time Fortinet products have been targeted. In February, Fortinet patched a critical SQL injection vulnerability (CVE-2026-21643) in its FortiClient Enterprise Management Server (EMS) platform, which was also found to be actively exploited. More recently, a path traversal vulnerability (CVE-2025-61624) was addressed, allowing authenticated attackers to escalate privileges.

Fortinet vulnerabilities have historically been a lucrative target for cybercriminals, frequently appearing in cyber espionage campaigns and ransomware attacks, often as zero-day exploits. CISA currently tracks 28 Fortinet vulnerabilities that have been exploited in attacks in recent years, with 13 of those also being leveraged in ransomware operations.

Organizations using FortiSandbox are strongly advised to review their configurations and ensure they are running the latest patched versions. The directive serves as a stark reminder of the ongoing threat landscape and the importance of proactive vulnerability management, especially for critical infrastructure and government systems.

The article from Cyber Security News provides further details on the exploitation of CVE-2026-39808 and CVE-2026-25089 in Fortinet FortiSandbox. It clarifies that both vulnerabilities are OS command injection flaws (CWE-78) and can be exploited remotely by unauthenticated attackers via crafted HTTP requests, allowing arbitrary command execution. The report also emphasizes the broader impact of CVE-2026-25089, affecting FortiSandbox Cloud and PaaS environments in addition to the direct FortiSandbox product.

The new article provides specific details on the two vulnerabilities, CVE-2026-39808 and CVE-2026-25089, both rated critical with a CVSS score of 9.1. CVE-2026-39808, an OS command injection flaw affecting FortiSandbox versions 4.4.0-4.4.8, was patched in 4.4.9. CVE-2026-25089, another OS command injection vulnerability, impacts broader versions including 5.0.0-5.0.5, 4.4.0-4.4.8, all 4.2 versions, and specific cloud/PaaS versions, with patches available in 4.4.9 and 5.0.6.

Synthesized by Vypr AI